AWS Certified Solutions Architect – Associate (SAA-C03) — Question 637

A company uses Amazon EC2 instances and Amazon Elastic Block Store (Amazon EBS) volumes to run an application. The company creates one snapshot of each EBS volume every day to meet compliance requirements. The company wants to implement an architecture that prevents the accidental deletion of EBS volume snapshots. The solution must not change the administrative rights of the storage administrator user.

Which solution will meet these requirements with the LEAST administrative effort?

Answer options

• A. Create an IAM role that has permission to delete snapshots. Attach the role to a new EC2 instance. Use the AWS CLI from the new EC2 instance to delete snapshots.
• B. Create an IAM policy that denies snapshot deletion. Attach the policy to the storage administrator user.
• C. Add tags to the snapshots. Create retention rules in Recycle Bin for EBS snapshots that have the tags.
• D. Lock the EBS snapshots to prevent deletion.

Correct answer: D

Explanation

Locking EBS snapshots using the EBS Snapshot Lock feature directly prevents them from being deleted, even by administrators, without requiring modifications to IAM policies or administrative rights. This provides a highly secure compliance control with the least amount of configuration effort. Other options, such as changing IAM policies, violate the constraint of not altering the storage administrator's existing rights.